[THIN] Security Alert: Apply if you are running MSDE or SQL Server 7 or 2000.

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Tue, 8 Oct 2002 08:56:35 -0400

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp

Microsoft Security Bulletin MS02-056
Cumulative Patch for SQL Server (Q316333)
Originally posted: October 02, 2002
Summary
        Who should read this bulletin: System administrators using Microsoft SQL
Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and
Microsoft Desktop Engine (MSDE) 2000.
        Impact of vulnerability: Four vulnerabilities, the most serious of which
could enable an attacker to gain control over an affected server.
        Maximum Severity Rating: Critical
        Recommendation: System administrators should apply the patch to affected
systems.
        Affected Software:
*       Microsoft SQL Server 7.0
*       Microsoft Data Engine (MSDE) 1.0
*       Microsoft SQL Server 2000
*       Microsoft Desktop Engine (MSDE) 2000
Technical details
        Technical description:

        This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and
Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE) 2000. In
addition, it eliminates four newly discovered vulnerabilities.
*       A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000)
associated with user authentication. By sending a specially malformed login
request to an affected server, an attacker could either cause the server to
fail or gain the ability to overwrite memory on the server, thereby
potentially running code on the server in the security context of the SQL
Server service. It would not be necessary for the user to successfully
authenticate to the server or to be able to issue direct commands to it in
order to exploit the vulnerability.
*       A buffer overrun vulnerability that occurs in one of the Database Console
Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most
serious case, exploiting this vulnerability would enable an attacker to run
code in the context of the SQL Server service, thereby giving the attacker
complete control over all databases on the server.
*       A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000.
SQL Server allows unprivileged users to create scheduled jobs that will be
executed by the SQL Server Agent. By design, the SQL Server Agent should
only perform job steps that are appropriate for the requesting user's
privileges. However, when a job step requests that an output file be
created, the SQL Server Agent does so using its own privileges rather than
the job owner's privileges. This creates a situation in which an unprivileged
user could submit a job that would create a file containing valid operating
system commands in another user's Startup folder, or simply overwrite system
files in order to disrupt system operation.
        The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against non-SQL OLEDB
data sources. Although the current operation does not represent a security
vulnerability, the new operation makes it more difficult to misuse poorly
coded data providers that might be installed on the server.
        Mitigating factors:
        Unchecked buffer in SQL Server 2000 authentication function:
*       This vulnerability only affects SQL Server 2000 and MSDE 2000. Neither SQL
Server 7.0 nor MSDE 1.0 is affected.
*       If the SQL Server port (port 1433) were blocked at the firewall, the
vulnerability could not be exploited from the Internet.
*       Exploiting this vulnerability would allow the attacker to escalate
privileges to the level of the SQL Server service account. By default, the
service runs with the privileges of a domain user, rather than with system
privileges.
        Unchecked buffer in Database Console Commands:
*       Exploiting this vulnerability would allow the attacker to escalate
privileges to the level of the SQL Server service account. By default, the
service runs with the privileges of a domain user, rather than with system
privileges.
*       The vulnerability could only be exploited by an attacker who could
authenticate to an affected SQL Server or who has permission to execute
queries directly against the server.
        Flaw in output file handling for scheduled jobs:
*       The vulnerability could only be exploited by an attacker who could
authenticate to an affected SQL server.
        Severity Rating:
        Unchecked buffer in SQL Server 2000 authentication function:
                                               Internet Servers   Intranet Servers   Client Systems
        SQL Server 7.0 (Including MSDE 1.0)    None               None               None
        SQL Server 2000 (Including MSDE 2000)  Critical           Critical           None

        Unchecked buffer in Database Console Commands:
                                               Internet Servers   Intranet Servers   Client Systems
        SQL Server 7.0 (Including MSDE 1.0)    Critical           Critical           None
        SQL Server 2000 (Including MSDE 2000)  Critical           Critical           None

        Flaw in output file handling for scheduled jobs:
                                               Internet Servers   Intranet Servers   Client Systems
        SQL Server 7.0 (Including MSDE 1.0)    Critical           Critical           None
        SQL Server 2000 (Including MSDE 2000)  Critical           Critical           None

        Aggregate Severity of all issues included in this patch (including issues
addressed in previously released patches):
                                               Internet Servers   Intranet Servers   Client Systems
        SQL Server 7.0 (Including MSDE 1.0)    Critical           Critical           None
        SQL Server 2000 (Including MSDE 2000)  Critical           Critical           None
The above assessment
<http://www.microsoft.com/technet/security/topics/rating.asp> is based on
the types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on
them.
        Vulnerability identifiers:
*       Unchecked buffer in SQL Server 2000 authentication function: CAN-2002-1123
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1123>
*       Unchecked buffer in Database Console Commands: CAN-2002-1137
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1137>
*       Flaw in output file handling for scheduled jobs: CAN-2002-1138
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1138>
        Tested Versions:
        Microsoft tested SQL Server 2000 and SQL Server 7.0 (and their associated
versions of MSDE) to assess whether they are affected by these
vulnerabilities. Previous versions are no longer supported
<http://support.microsoft.com/directory/discontinue.asp>, and may or may not
be affected by these vulnerabilities.
Frequently asked questions
        What vulnerabilities are eliminated by this patch?
        This is a cumulative patch that, when applied, addresses all previously
addressed vulnerabilities. In addition, it eliminates three new
vulnerabilities:
*       A vulnerability that could enable an attacker to gain control over a SQL
Server 2000 database.
*       A new variant of a vulnerability originally discussed in Microsoft
Security Bulletin MS02-038
<http://www.microsoft.com/technet/security/bulletin/MS02-038.asp>, through
which an already authenticated user could gain additional privileges on a
SQL Server.
*       A vulnerability through which a user could potentially cause a program to
run when another user subsequently logged onto the system or overwrite files
that the SQL Server Agent service would otherwise have access to.
        Is this patch cumulative?
        This patch does supersede all previously released security patches
involving the SQL Server 7.0 and SQL Server 2000 database engines. However,
applying this patch is not sufficient by itself to fully secure a SQL
Server:
*       One security fix for SQL Server 2000, discussed in Microsoft Security
Bulletin MS02-035, requires remediation via a tool rather than a patch. The
tool only needs to be run one time, so customers who have previously run it
do not need to take additional action. However, installing this patch does
not cause the tool to be run.
*       The patch does not include any fixes for security vulnerabilities
involving the Microsoft Data Access Components (MDAC) or Online Analytic
Processing (OLAP) technologies for SQL Server. The patches for these issues
(listed in the Caveats section below) must be applied separately.
        The Affected Versions section says that Microsoft Desktop Engine (MSDE) is
also affected by these vulnerabilities. What is MSDE?
        Microsoft Desktop Engine
<http://msdn.microsoft.com/library/default.asp?URL=/library/backgrnd/html/msdeforvs.htm>
(MSDE) is a database engine that's built and based on SQL
Server technology, and which ships as part of several Microsoft products,
including Microsoft Visual Studio and Microsoft Office Developer Edition.
There is a direct connection between versions of MSDE and versions of SQL
Server. MSDE 1.0 is based on SQL Server 7.0; MSDE 2000 is based on SQL
Server 2000.
        Does the patch include any other fixes?
        The patch also fixes an issue that, while not a security vulnerability per
se, could nevertheless aid an attacker in taking advantage of a poorly
configured system. Specifically, the patch changes the operation of SQL
Server to restrict unprivileged users to only performing queries against SQL
Server data. In the case where a non-SQL data provider had been installed on
the system, and the driver for the provider did not enforce proper security,
this change would help prevent unprivileged users from abusing the
situation.

        Unchecked buffer in SQL Server 2000 authentication function (CAN-2002-1123):
        What's the scope of this vulnerability?
        This is a buffer overrun
<http://www.microsoft.com/technet/security/bulletin/glossary.asp>
vulnerability. By sending a specially malformed login request to an affected
server, an attacker could either cause the SQL Server service to fail or
gain control over the database. It would not be necessary for the user to
successfully authenticate to the server in order to exploit the
vulnerability.
        This vulnerability only affects SQL Server 2000 and MSDE 2000. Although the
vulnerability would provide a way to gain control over the database, it
would not, under default conditions, grant the attacker significant
privileges at the operating system level.
        What causes the vulnerability?
        The vulnerability results because a function in SQL Server 2000 (and MSDE
2.0) that handles authentication requests contains an unchecked buffer. By
calling this function with specially chosen parameters, an attacker could
cause a buffer overrun condition to occur.
        What authentication requests are you referring to?
        Depending on how the server is configured
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/instsql/in_runsetup_6p9v.asp>,
it may use either of two methods to authenticate users: SQL Server
authentication, or Windows Authentication. However, before the actual
authentication process takes place, SQL Server exchanges some preliminary
information. The vulnerability lies in one of the functions involved in this
preliminary exchange.
        What's wrong with the authentication function?
        The function suffers from an unchecked buffer. Because of this, it could be
possible for an attacker to initiate a preliminary exchange in a way that
would overrun the buffer, thereby overwriting memory within the SQL Server
service in the process.
        What could this vulnerability enable an attacker to do?
        An attacker who was able to successfully exploit this vulnerability could
do either of two things. If he or she provided random data, the effect of
overwriting the service's memory would be to cause it to fail. In that case,
the administrator could restore normal operation by restarting the SQL
Server.
        On the other hand, by providing carefully chosen data, the attacker could
modify the SQL Server service to perform new functions he or she chose. The
effect would be to give the attacker full control over the SQL server, and
enable him or her to add, delete or modify data; reconfigure SQL Server
parameters; or take any other desired action on the database.
        Who could exploit the vulnerability?
        Any user who could engage in an authentication attempt with an affected SQL
Server, whether the attempt was successful or not, could exploit the
vulnerability.
        Does that mean that the attacker wouldn't need a valid SQL Server userid
and password to exploit the vulnerability? Correct. Because of where the
vulnerability resides within the authentication function, the attacker would
not need to be able to log onto the server; he or she would only need to be
able to deliver the data packets that signify the start of an authentication
attempt.
        Could the vulnerability be exploited from the Internet?
        It would depend on whether the attacker could engage in an authentication
exchange. To do this, the SQL Server port (port 1433) would need to be open
at the firewall. If the port were closed (as it should be unless absolutely
necessary), an attacker could not exploit this vulnerability from the
Internet.
        I'm running SQL Server 7.0. Could I be affected by this vulnerability?
        No. It affects only SQL Server 2000 (and MSDE 2000); it doesn't affect SQL
Server 7.0 (or MSDE 1.0). However, SQL Server 7.0 administrators should
still install the patch, as other vulnerabilities discussed in this bulletin
do affect SQL Server 7.0.
        How does the patch address this vulnerability?
        The patch institutes proper buffer checking in the authentication function.

        Unchecked buffer in Database Console Commands (CAN-2002-1137):
        What's the scope of this vulnerability?
        This is a new variant of a vulnerability originally reported in Microsoft
Security Bulletin MS02-038
<http://www.microsoft.com/technet/security/bulletin/MS02-038.asp>. Like the
original vulnerability, this is a buffer overrun
<http://www.microsoft.com/technet/security/bulletin/glossary.asp>
vulnerability, through which it could be possible for an attacker to either
cause the SQL Server to fail or gain complete control over the database.
        What causes the vulnerability?
        The vulnerability results because one of the Database Console Command
(DBCC) utilities provided as part of SQL Server contains unchecked buffers
in the section of code that handles user input.
        What is the Database Console Command (DBCC)?
        DBCCs
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_dbcc_217n.asp>
are utility programs provided as part of SQL Server 2000.
Their purpose is to provide database administrators with an easy way to
perform common housekeeping tasks. For instance, DBCCs are available to
defragment databases, repair minor errors, show usage statistics, and so
forth. A complete listing of the DBCCs available as part of SQL Server 2000
is included in the SQL Server 2000 online help facility.
        How is this vulnerability different from the DBCC vulnerabilities discussed
in Security Bulletin MS02-038?
        This vulnerability is identical to the DBCC vulnerabilities discussed in
Microsoft Security Bulletin MS02-038
<http://www.microsoft.com/technet/security/bulletin/MS02-038.asp> with one
exception. Unlike the DBCCs discussed in MS02-038
<http://www.microsoft.com/technet/security/bulletin/MS02-038.asp>, the one
affected by this variant could be executed by any SQL user.
        How does the patch address the vulnerability?
        The patch institutes proper buffer handling in the affected DBCC.

        Flaw in output file handling for scheduled jobs (CAN-2002-1138):
        What's the scope of this vulnerability?
        This vulnerability could enable an attacker to do either of two things:
create a program that would subsequently be executed when another user
logged onto the server, or corrupt system files in an effort to disrupt
system operation.
        The vulnerability could only be exploited by an attacker who could
authenticate to the SQL server. In addition, in the first attack scenario
discussed above, the effect of exploiting the vulnerability would depend on
the specific privileges of the user who subsequently logged onto the system.
        What causes the vulnerability?
        The vulnerability results because, when the SQL Server Agent creates an
output file as part of a scheduled job, it does so using its own privileges
rather than those of the user who owns the job or a configured proxy account
if the job owner is not a system administrator (sysadmin server role member)
in SQL Server or if the job owner is a standard SQL server user.
        What is the SQL Server Agent?
        The SQL Server Agent
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtech
nol/sql/maintain/optimize/03ppcsqb.asp> is responsible for running scheduled
jobs, restarting the database service and other administrative operations.
        What's a scheduled job?
        Scheduled jobs
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/a
d_automate_5bsp.asp> provide a way to cause the SQL Server to take a
designated action at a particular time. Scheduled jobs are frequently used
by administrators to perform regularly scheduled maintenance tasks such as
backups.
        Who can create scheduled jobs?
        Any user can create a scheduled job, but the SQL Server Agent will only
execute a particular job step if the requester has appropriate privileges.
        What's wrong with the way the SQL Server Agent processes scheduled jobs?
        By design, all job steps in a scheduled job should be carried out using the
privileges of the person who submitted the job or, in some cases, those of a
proxy account. However, when a job calls for an output file to be created,
the SQL Server Agent does so using its own privileges. Because the SQL
Server Agent service account is often configured with Windows administrative
privileges, this allows a job to create a file anywhere on the system,
regardless of the user's privileges.
        What could this vulnerability enable an attacker to do?
        An attacker who successfully exploited the vulnerability could create a
file on the system, for either of two purposes:
*       Disrupting system operation. By overwriting system files with random data,
the attacker could potentially cause the system to fail.
*       Causing other users to run programs of the attacker's choice. By creating
an output file that contained valid operating system commands, and placing
it in the appropriate folder (e.g., another user's Startup folder), the
attacker could cause the commands to be executed the next time another user
logged onto the system.
        How could an attacker exploit this vulnerability?
        An attacker would only need the ability to log onto an affected server to
exploit the vulnerability. He or she could then create a scheduled job that
creates an output file, submit it, and thereby exploit the vulnerability.
        If the attacker overwrote system files, what would be needed in order to
resume normal operation?
        It would depend on which files were overwritten. It might only require that
the administrator restart the service. However, in the worst case, the
administrator might need to restore system files using an emergency repair
disk
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnntpro00/html/ntp0063.asp>.
        If the attacker created a program in another user's Startup folder, what
could it do?
        It would depend on the privileges the user had. Anything the user could do,
the program also could do.
        How does the patch address the vulnerability?
        The patch causes SQL Server Agent to use the job owner's credentials if the
connection is a Windows Authenticated user, or the proxy account's
credentials if the connection is a SQL Server authenticated user, when
determining who has the right to produce an output file from a job step. As
a result, users' jobs will still be able to create output files, but only in
areas where the user or the proxy account's privileges permit.
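An added audit query for the scheduled-jobs flaw (this is not from the bulletin or from Microsoft): it lists Agent job steps that write an output file and whose owner is not a sysadmin, which are exactly the jobs that were writing files under the Agent's own account before the patch. It assumes the SQL Server 7.0/2000 system tables msdb.dbo.sysjobs, msdb.dbo.sysjobsteps and master.dbo.syslogins.

```sql
-- Added example: find Agent job steps whose output file would have been
-- written with the Agent service account's privileges (CAN-2002-1138).
-- Run as a sysadmin on SQL Server 7.0 or 2000 before and after applying
-- Q327068 / Q316333 to review which non-sysadmin-owned jobs write files.
USE msdb
GO
SELECT
    j.name                                   AS job_name,
    l.name                                   AS owner_login,
    CASE WHEN l.isntname = 1 THEN 'Windows'  -- owner credentials used after patch
         ELSE 'SQL'                          -- proxy account used after patch
    END                                      AS owner_login_type,
    s.step_id,
    s.step_name,
    s.subsystem,                             -- TSQL, CmdExec, ActiveScripting, ...
    s.output_file_name                       -- path the Agent writes to
FROM dbo.sysjobs j
JOIN dbo.sysjobsteps s
    ON s.job_id = j.job_id
LEFT JOIN master.dbo.syslogins l
    ON l.sid = j.owner_sid
WHERE s.output_file_name IS NOT NULL
  AND s.output_file_name <> ''
  -- owner is not a sysadmin, or the owning login no longer exists
  AND (l.sysadmin IS NULL OR l.sysadmin = 0)
ORDER BY j.name, s.step_id
GO
```

Any row whose output_file_name points outside a location the owner (or the proxy account) can legitimately write to is a job to review or disable before the patch is applied.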
Patch availability
        Download locations for this patch
*       Microsoft SQL Server 7.0:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech>
*       Microsoft SQL Server 2000:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech>
Additional information about this patch
        Installation platforms:
*       The SQL Server 7.0 patch can be installed on systems running SQL Server
7.0 Service Pack 4 <http://www.microsoft.com/sql/downloads/sp4.asp>.
*       The SQL Server 2000 patch can be installed on systems running SQL Server
2000 Service Pack 2 <http://microsoft.com/sql/downloads/2000/sp2.asp>.
        Inclusion in future service packs:
        The fix for this issue will be included in SQL Server 2000 Service Pack 3.
        Reboot needed: No. It is only necessary to restart the SQL Services.
        Patch can be uninstalled: The readme.txt contained in the downloadable
packages contains uninstall instructions.
        Superseded patches: This patch supersedes the one provided in Microsoft
Security Bulletin MS02-043
<http://www.microsoft.com/technet/security/bulletin/MS02-043.asp>, which was
itself a cumulative patch.
        Verifying patch installation:
*       SQL Server 7.0:
To ensure you have the fix installed properly, verify the individual files
by consulting the date/time stamp of the files listed in the file manifest
in Microsoft Knowledge Base article at
<http://support.microsoft.com/support/misc/kblookup.asp?id=Q327068>
*       SQL Server 2000:
To ensure you have the fix installed properly, verify the individual files
by consulting the date/time stamp of the files listed in the file manifest
in Microsoft Knowledge Base article at
<http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333>
        Caveats:
*       This patch does not include the functionality of the Killpwd tool provided
in Microsoft Security Bulletin MS02-035.
*       The patch does not supersede any previously released patches for MDAC or
OLAP under SQL Server 2000. At this writing, these patches include the ones
discussed in:
*       Microsoft Security Bulletin MS00-092
<http://www.microsoft.com/technet/security/bulletin/MS00-092.asp>
*       Microsoft Security Bulletin MS01-041
<http://www.microsoft.com/technet/security/bulletin/MS01-041.asp>
*       Microsoft Security Bulletin MS02-030
<http://www.microsoft.com/technet/security/bulletin/MS02-030.asp>
*       The process for installing the patch varies somewhat depending on the
specific configuration of the server. System administrators should ensure
that they read the Readme.txt file in the patch package to ensure the patch
is installed correctly.
        Localization:
        Localized versions of this patch are available at the locations discussed
in "Patch Availability".
        Obtaining other security patches:
        Patches for other security issues are available from the following
locations:
*       Security patches are available from the Microsoft Download Center
<http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1>,
and can be most easily found by doing a keyword search for "security_patch".
*       Patches for consumer platforms are available from the WindowsUpdate
<http://windowsupdate.microsoft.com/> web site.
Other information:
        Acknowledgments
        Microsoft thanks the following individuals:
*       Issue regarding ad hoc queries against non-SQL OLEDB data sources:
sk@xxxxxxxxxxxxxxxxxxx and pokleyzz@xxxxxxxxxxxxxxxxxxx
*       Unchecked buffer in Database Console Commands:
Martin Rakhmanoff (jimmers@xxxxxxxxx)
        Support:
*       Microsoft Knowledge Base article Q316333 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support
<http://support.microsoft.com/?scid=fh;en-us;kbhowto> web site.
*       Technical support is available from Microsoft Product Support Services
<http://support.microsoft.com/directory/question.asp?sd=gn&fr=0>. There is
no charge for support calls associated with security patches.
        Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
        Disclaimer:
        The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
        Revisions:
*       V1.0 (October 02, 2002): Bulletin Created
